VBA to MYSQL security
Hi
We currently have a database system which is a VBA front end and a local MYSQL backend connected by ODBC.
Users authenticate directly with the MYSQL backend to gain access to the system.
We have been advised by a security specialist to improve the infrasturure as they have suggested that as the users authenticates directly with the mysql db there is the posibility to sql injection issues.
Any advice on how to improve this would be gratefully received.
thanks
We currently have a database system which is a VBA front end and a local MYSQL backend connected by ODBC.
Users authenticate directly with the MYSQL backend to gain access to the system.
We have been advised by a security specialist to improve the infrasturure as they have suggested that as the users authenticates directly with the mysql db there is the posibility to sql injection issues.
Any advice on how to improve this would be gratefully received.
thanks
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Sorry this is possibly a bit of a stupid question, but how would they achieve/do this? Is it just by manipulating login boxes of the system?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks, i think one of my major issues is that we are using ODBC to connect the frontend to backend with a single DB user for all app users.
Is there a way of connecting to the backend using the app users either by adjusting ODBC or looking at a different connectivity option.
Is there a way of connecting to the backend using the app users either by adjusting ODBC or looking at a different connectivity option.
SQL Injection occurs when the inputs are not handled securely by the programming (logic error); e.g. the input could allow an attack.
The question you just posed sounds like an entirely different security question regarding how the users login. Please elaborate.
The question you just posed sounds like an entirely different security question regarding how the users login. Please elaborate.
ASKER
We basically had two issues with our system get picked up.
Firstly was the injection issue and secondly was the users authenticating with the DB that also holds the data using a single user ODBC connection.
We think we are going to alter the system to use DNSless setup to connect to a DB for user access and once the user has logged in correctly a DNSless connection to the data DB.
Does this sounds more sensible?
Firstly was the injection issue and secondly was the users authenticating with the DB that also holds the data using a single user ODBC connection.
We think we are going to alter the system to use DNSless setup to connect to a DB for user access and once the user has logged in correctly a DNSless connection to the data DB.
Does this sounds more sensible?
An attack surface is the sum of the different points (attack vectors) from where an unauthorized user can inject or steal data from a given environment. Eliminating possible attack vectors is the first place to start when securing your systems.https://blog.serverdensity.com/security-principles-and-practices-how-to-approach-security/
If the DSN was removed, DSNless access would force server-side access to the database; e.g. a direct server-side ADOBC connection. Thus, DSNless seems like a good thing if you wanted to restrict access to just the server.
As John eluded to, this area is subjective; it depends on the issue you are facing and answering more questions might help point you in the right direction:
What are the security issues you are having or potentially facing?
Are users connecting to the server remotely and accessing the database?
How do the users sign in now?
How can you tell which user is currently logged in?
Are they using a website or application to access the database?
More input is needed.
Suggested close-out if your question is answered:
Designate user-level security and restrict permissions. #a42335156 (Accepted Solution, 1/4 points)
Remove public access of database, unless necessary; if necessary that your database has public access, acquire expert advice on network/server/database security and best practices thereof #a42335222 (Assisted Solution, 1/4 points)
Remove any code that allows for SQL injection; use prepared statements with parameterized inputs; and/or use sanitized and filtered inputs. #a42338315 (Assisted Solution, 1/4 points)
Direct login can allow a malevolent user to run damaging SQL commands #a42339063 (Assisted Solution, 1/4 points)
ASKER